function system_login_form_validate

6.x system.module system_login_form_validate($form, &$form_state)
4.x system.module system_login_form_validate($form, &$form_state)
5.x system.module system_login_form_validate($form, &$form_state)

Validation function for the login form. This is where all of the lookups to verify the username and password are done. If you want to write your own login handler (for example for LDAP), this is the function you would duplicate in a custom module, then use hook_form_alter to make your function the validator instead of this one.

We will simply verify the password, then let the submit handler take over from there.

File

modules/system/system.module, line 3389

Code

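/**
 * Validation handler for the login form.
 *
 * Resolves the supplied login name (a username or an email address) to an
 * enabled row in the users table, verifies the password, then applies the
 * site's login restrictions in order: admin-only mode, allowed student ranks,
 * the user whitelist, and disabled student logins.  On success the user's row
 * is stored in $form_state["db_row"] and $form_state["passed_authentication"]
 * is set to TRUE for the submit handler; on failure a form error is raised
 * (or the user is redirected via fp_goto()) and the function returns.
 *
 * Sites that need their own handler (e.g. LDAP) should duplicate this
 * function in a custom module and swap it in with hook_form_alter().
 *
 * @param array $form
 *   The form array (not used here).
 * @param array $form_state
 *   The form state.  Reads values["user"] and values["password"]; on success
 *   writes passed_authentication and db_row.  When the login name was an
 *   email address, values["user"] is rewritten to the resolved username.
 */
function system_login_form_validate($form, &$form_state) {
  $user = trim($form_state["values"]["user"]);

  // If the login name looks like an email address, resolve it to the
  // username it belongs to.  The lookup lowercases the input first, so email
  // matching is case-insensitive.
  if (filter_var($user, FILTER_VALIDATE_EMAIL)) {
    $test = db_result(db_query("SELECT user_name FROM users WHERE email = ?", array(strtolower($user))));
    if ($test) {
      $user = $test;
      $form_state["values"]["user"] = $test;
    }
  }

  $password = $form_state["values"]["password"];

  // If GRANT_FULL_ACCESS is turned on, skip validation entirely and act as
  // user id 1.  The loose comparison is kept on purpose: the setting may be
  // stored as a string rather than a boolean.
  if ($GLOBALS["fp_system_settings"]["GRANT_FULL_ACCESS"] == TRUE) {
    $form_state["passed_authentication"] = TRUE;
    $form_state["db_row"]["user_id"] = 1;
    $form_state["db_row"]["user_name"] = "FULL ACCESS USER";
    return;
  }

  // Otherwise, look the account up normally.  Only enabled accounts are
  // considered; $cur is FALSE when nothing matches.
  $res = db_query("SELECT * FROM users WHERE user_name = ? AND is_disabled = '0' ", $user);
  $cur = db_fetch_array($res);

  // Check the user's password.  For an unknown user there is no row and the
  // stored hash is NULL (no error suppression needed); user_check_password()
  // is still called so both cases end in the same error branch.  The
  // explicit is_array() guard ensures a missing row can never authenticate,
  // whatever user_check_password() returns for a NULL hash.
  $stored_hash = (is_array($cur) && isset($cur["password"])) ? $cur["password"] : NULL;
  if (!is_array($cur) || !user_check_password($password, $stored_hash)) {
    watchdog("login", "@user has not logged in.  Username/password could not be verified.  Incorrect password?", array("@user" => $user), WATCHDOG_ALERT);
    form_error("password", t("Sorry, but that username and password combination could not
                            be found.  Please check your spelling and try again."));
    return;
  }

  // Have we disabled all logins except for "admin" (user id = 1)?
  if (intval($cur['user_id']) !== 1 && variable_get('disable_login_except_admin', 'no') == 'yes') {
    watchdog("login", "@user has not logged in.  All logins except admin are disabled.", array("@user" => $user), WATCHDOG_ALERT);
    fp_goto("disable-login");
    return;
  }

  // If this is a student, does this student have an accepted "allowed rank"
  // (ie, FR, SO, JR, etc)?  Rank codes and the configured list are compared
  // loosely; both come from the database / a CSV setting as strings.
  $allowed_ranks_str = variable_get("allowed_student_ranks", "FR, SO, JR, SR");
  $allowed_ranks = csv_to_array($allowed_ranks_str);
  if (intval($cur['is_student']) === 1) {
    $rank_code = db_result(db_query("SELECT rank_code FROM students WHERE cwid = ?", array($cur['cwid'])));
    if (!in_array($rank_code, $allowed_ranks)) {
      form_error("password", t("Sorry, your rank/classification is %rc.  At this time FlightPath is only available to students
                                in the following ranks/classifications: @ranks_str", array("%rc" => $rank_code, "@ranks_str" => $allowed_ranks_str)));
      watchdog("login", "@user has not logged in.  User rank/classification is %rc.  At this time FlightPath is only available to students
                                in the following ranks/classifications: @ranks_str", array("@user" => $user, "%rc" => $rank_code, "@ranks_str" => $allowed_ranks_str), WATCHDOG_ALERT);
      return;
    }
  }

  // Do we have a "whitelist" and is this user part of it?  Admin (user id 1)
  // is exempt.  A user is on the list if their username, CWID or email
  // appears in it.  An account with no email address simply cannot match by
  // email -- it must match by username or CWID.  (Previously an empty email
  // short-circuited the check and let such accounts bypass the whitelist.)
  $bool_pass_whitelist_test = FALSE;
  $list = system_get_user_whitelist();
  if (intval($cur['user_id']) !== 1 && $list) {
    $in_by_name = in_array($cur['user_name'], $list);
    $in_by_cwid = in_array($cur['cwid'], $list);
    // The non-empty check keeps a blank email from matching a blank list entry.
    $in_by_email = ($cur['email'] != '' && in_array($cur['email'], $list));
    if (!$in_by_name && !$in_by_cwid && !$in_by_email) {
      form_error("password", t("Sorry, but only certain users are allowed access at this time.  If you believe you need access, please contact your system administrator."));
      watchdog("login", "@user has not logged in.  Only certain users allowed at this time.", array("@user" => $user), WATCHDOG_ALERT);
      return;
    }
    // User is listed in the whitelist.
    $bool_pass_whitelist_test = TRUE;
  }
  else {
    // There was no whitelist (or this is admin).
    $bool_pass_whitelist_test = TRUE;
  }

  // Have we disabled all student logins AND this student was not whitelisted?
  // A student is turned away when there is no whitelist at all, or there is
  // one and they did not pass it.
  if (intval($cur['is_student']) === 1 && variable_get('disable_student_logins', 'no') == 'yes') {
    if (!$list || !$bool_pass_whitelist_test) {
      watchdog("login", "@user has not logged in.  Student logins are disabled.", array("@user" => $user), WATCHDOG_ALERT);
      fp_goto("disable-student-login");
      return;
    }
  }

  // All checks passed.  Hand the user's row to the submit handler.
  $form_state["db_row"] = $cur;

  // If we made it here, then the user successfully authenticated.
  $form_state["passed_authentication"] = TRUE;

  // It will now proceed to the submit handler.
}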